
Vigilante Hackers use Old West Tactics for Justice

dismorphic writes "Angered by the growing number of Internet scams, online 'vigilantes' have started to take justice into their own hands by hacking into suspected fraud sites and defacing them. These hackers have targeted fake websites set up to resemble the sites of banks or financial institutions in recent weeks, and have inserted new pages or messages. Some say 'Warning - This was a Scam Site,' or 'This Bank Was Fraudulent and Is Now Removed.'" So maybe it's not a posse of horsemen, but it's still kinda cool that someone is taking care of those who would defraud the public.
  • Be wary of... (Score:2, Informative)

    by xquark ( 649804 ) on Thursday May 26, 2005 @11:14PM (#12651464) Homepage
    The links these so-called vigilantes place on those de-faced sites saying:

    "link to the bank's real web site" ;)

    he he he he he he :D

    Regards

    Arash Partow

    ________________________________________________ __
    Be one who knows what they don't know,
    Instead of being one who knows not what they don't know,
    Thinking they know everything about all things.
    http://www.partow.net/ [partow.net]

  • by ScentCone ( 795499 ) on Thursday May 26, 2005 @11:33PM (#12651604)
    If it's common sense, regardless of the law, the people (in the form of a jury) can make it legal.

    Not really. For example, if a person doesn't have appropriate charges brought up against them (or there are no such statutes), then there will never be an option for a jury to exercise. The jury might elect not to convict on something, but they can't cause a conviction (on other counts) where there should be one. This is particularly true where the nature of an act (like some innovative new form of online fraud, for example) hasn't been really contemplated by the justice system before.
  • Re:justice (Score:2, Informative)

    by knBIS ( 743731 ) on Thursday May 26, 2005 @11:54PM (#12651748)
    I got my first fraud email from some site claiming to be PayPal the other day, and followed the link to see how convincing it was... The site looked pretty good (unless you check out the address bar...)

    So I figured I'd try and login with some random user name and password... Well it seemed like they actually forward the information to PayPal's site to check and see if it's valid...

    Maybe they just deny everyone who tries to login, but it looked like my browser was actually sending some information to paypal.com before the Russian site told me that my info was invalid... I didn't really want to try it with my real info, so I'm not really sure how it would behave if it received a good username/pass.

    So depending on how much effort they put into building the fake site, flooding it with bad data might be sort of useless
  • Re:justice (Score:2, Informative)

    by future assassin ( 639396 ) on Thursday May 26, 2005 @11:58PM (#12651772)
    Yes it is when fag ass scammers can send you an email that takes you to a site like this and scam you out of your cc info.
    http://www.futureassassin.com/phish/dv_01.gif/ [futureassassin.com]
    http://www.futureassassin.com/phish/dv_02.gif/ [futureassassin.com]
    I reported this site to Netcraft and they sent me an email back confirming I found a phishing site. This site was shut down a few minutes later and the domain was put into REGISTRAR-HOLD

    By the way if you are the first to discover a phish site Netcraft sends you a present. Still waiting for mine :)

  • Re:justice (Score:3, Informative)

    by v1 ( 525388 ) on Friday May 27, 2005 @12:18AM (#12651855) Homepage Journal
    but to say it's a bad idea to fight injustice because the criminals will just get better, that's a blanket justification that could be applied to all crime. The result of widespread adoption of that mindset would be "anarchy".

    If you don't fight back, you are perceived as weak. Criminals prefer to prey on the weak. So by not fighting back, you are making yourself an attractive target, and will be exploited.

    Vigilante justice occurs when a group is doing something that the general public can openly agree is wrong, but for which there is no formal law or rule forbidding. The populace takes action independently to protect themselves until which time the appropriate laws are passed.
  • "Old West Tactics" (Score:5, Informative)

    by Wyatt Earp ( 1029 ) on Friday May 27, 2005 @12:19AM (#12651865)
    I'm a Middle East (1917-1995) Historian by day and an Old West Historian by night.

    This really isn't an "Old West" tactic, but a tactic used in the United States, UK and other nations with a tradition of Common Law or the inclusion of extensive non-statutory law reflecting a consensus of centuries of judgements by working jurists.

    As times changed laws became codified and the power of the People to enforce the law was eroded in the United States and other countries.

    A Judge had to own 500 acres of land without debt on the land and they had the power to cherry pick what they wanted in terms of the law for the circumstances. Law then was terribly complicated, looking at A History of American Law by Lawrence M. Friedman shows that it's terribly complex and not nearly codified enough to just throw out a list of laws and punishments. Since the law on the frontier was often a copy/paste affair and made up by the Judges and not codified, a Judge had the power to make up laws. Like Eavesdropping in 1808 or Dropping a Dead Body into a River in 1821. Federal Judges started to go wild with common law crimes after U.S. v. Hudson and Goodwin in 1812.

    This case allowed a Federal Judge to define a crime and issue a punishment for it. Codification would stop this by defining what was a crime, and stop a Judge from making up a crime.

    A Posse wasn't normally a group of people acting as vigilantes, but a Posse is a group deputized by a Law Enforcement agent (Town Marshal, Sheriff, Federal Agent, etc) for a fixed duration or event since communities didn't have large standing forces.

    Some examples from an essay I found on the web a while back while researching the law in the 1860s

    Citizen's Arrest

    Students of the law should note that both a statutory and common law basis for a certain degree of "vigilante behavior" is well founded. Indeed, in an era of lawlessness it is important that readers be advised as to their lawful right to protect their communities, loved ones and themselves by making lawful citizens' arrests.

    First, what is an arrest?

    We can thank Black's Law Dictionary for a good definition: "The apprehending or detaining of a person in order to be forthcoming to answer an alleged or suspected crime." See Ex parte Sherwood, (29 Tex. App. 334, 15 S.W. 812).

    Historically, in Anglo Saxon law in medieval England citizen's arrests were an important part of community law enforcement. Sheriffs encouraged and relied upon active participation by able bodied persons in the towns and villages of their jurisdiction. From this legacy originated the concept of the posse comitatus which is a part of the United States legal tradition as well as the English. In medieval England, the right of private persons to make arrests was virtually identical to the right of a sheriff and constable to do so.

    A strong argument can be made that the right to make a citizen's arrest is a constitutionally protected right under the Ninth Amendment as its impact includes the individual's natural right to self preservation and the defense of the others. Indeed, the laws of citizens arrest appear to be predicated upon the effectiveness of the Second Amendment. Simply put, without firepower, people are less likely going to be able to make a citizen's arrest. A random sampling of the various states as well as the District of Columbia indicates that a citizen's arrest is valid when a public offense was committed in the presence of the arresting private citizen or when the arresting private citizen has a reasonable belief that the suspect has committed a felony, whether or not in the presence of the arresting citizen.

    District of Columbia Law 23-582(b) reads as follows:
    (b) A private person may arrest another -
    (1) who he has probable cause to believe is committing in his presence -
    (A) a felony, or
    (B) an offense enumerated in section 23-581 (a)(2); or
    (2) in aid of a law enforcement officer or special policeman, or other person authorized by law to make a
  • Re:Hacker Man! (Score:1, Informative)

    by Anonymous Coward on Friday May 27, 2005 @12:27AM (#12651907)
    "Particle Man" is itself a take-off on an older, comics-inspired tune about your friendly neighborhood Spider-Man.
  • Re:Retribution (Score:5, Informative)

    by Raindance ( 680694 ) * <johnsonmxNO@SPAMgmail.com> on Friday May 27, 2005 @01:05AM (#12652095) Homepage Journal
    Hah. Good idea.

    I hope you're giving the phishing sites numerically valid credit card numbers- essentially there's a checksum hidden in a card number. Phishers can screen out completely randomly generated card numbers because their checksum doesn't match.

    Here's a link to the algorithm*
    http://www.beachnet.com/~hstiles/cardtype.html [beachnet.com]

    Enjoy.

    *No, reverse-engineering the algorithm won't generate a valid card, but it'll generate a "not obviously invalid" card.
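The checksum this comment describes is the Luhn (mod 10) check. The following is an added example, not part of the original thread or the linked page: it implements the check and measures how much a form validator that relies on it actually filters. The function names are hypothetical and the sample inputs are constructed (4111111111111111 is a widely published test number).

```python
import random

def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    cleaned = number.replace(" ", "").replace("-", "")
    if len(cleaned) < 2 or not (cleaned.isascii() and cleaned.isdigit()):
        return False
    total = 0
    # Walk right to left, doubling every second digit; a doubled value
    # above 9 has 9 subtracted (same as adding its two digits).
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def passing_last_digits(prefix: str) -> list:
    """Final digits (0-9) that make prefix + digit pass the check."""
    return [str(d) for d in range(10) if luhn_valid(prefix + str(d))]

def random_pass_rate(trials: int, seed: int = 1) -> float:
    """Fraction of uniformly random 16-digit strings that pass."""
    rng = random.Random(seed)
    hits = sum(
        luhn_valid("".join(rng.choice("0123456789") for _ in range(16)))
        for _ in range(trials)
    )
    return hits / trials

# Constructed sample input: a widely published test number, a one-digit
# typo of it, a formatted copy, an ascending run, and non-numeric junk.
SAMPLES = ["4111111111111111", "4111111111111112",
           "4111-1111-1111-1111", "1234567890123456", "not a number"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:24} {'passes' if luhn_valid(s) else 'rejected'}")
    print("valid final digits:", passing_last_digits("411111111111111"))
    print("random pass rate:", random_pass_rate(20000))
```

Exactly one final digit in ten passes for any prefix, so the check discards typos and about 90% of random input but says nothing about whether an account exists.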
  • Re:Retribution (Score:5, Informative)

    by athakur999 ( 44340 ) on Friday May 27, 2005 @01:19AM (#12652155) Journal
    There's not much to it. Here was the last one I used. In this case it was a bank site asking for an ATM card number, PIN number, etc. Adapting it to other sites wouldn't be hard. The way I'm generating numbers would probably get rejected if you tried to use it for credit card numbers but this particular phishing script didn't seem to do any verification so I didn't bother...

    for ($i = 0; $i < 100; $i++) {

        // Random form values; none of these pass any real validation.
        $ssn = sprintf("%03d%02d%04d", rand(100, 999), rand(0, 99), rand(0, 9999));
        $cardnumber = sprintf("%04d%04d%04d%04d", rand(0, 9999), rand(0, 9999), rand(0, 9999), rand(0, 9999));
        if (rand(0,1)) $cardnumber .= rand(0,9);

        $expmonth = sprintf("%02d", rand(1, 12));
        $expyear = rand(2005, 2011);
        $cardpin = sprintf("%04d", rand(0, 9999));

        // Two random 10-character alphanumeric strings for the e-mail address.
        for($len=10,$r1='';strlen($r1)<$len;$r1.=chr(!mt_rand(0,2)?
        mt_rand(48,57):(!mt_rand(0,1)?mt_rand(65,90):mt_rand
        (97,122))));

        for($len=10,$r2='';strlen($r2)<$len;$r2.=chr(!mt_rand(0,2)?
        mt_rand(48,57):(!mt_rand(0,1)?mt_rand(65,90):mt_rand
        (97,122))));

        $email = "{$r1}@{$r2}.com";

        echo "$ssn\n$cardnumber\n$expmonth\n$expyear\n$cardpin\n$email\n";

        // Submit the values to the form handler.
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, "ssn={$ssn}&cardnumber={$cardnumber}&expmonth={$expmonth}&expyear={$expyear}&cardpin={$cardpin}&email={$email}&statement=&btnContinue0.x=64&btnContinue0.y=9");
        curl_setopt($ch, CURLOPT_URL, 'http://www.ewwf.ro/KeyBank/enroll.php');
        curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040929 Firefox/0.10');
        curl_setopt($ch, CURLOPT_REFERER, 'http://www.marumitu.com/KeyBank/enroll_auth.html');
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 300);
        $result=curl_exec($ch);
        curl_close($ch);

    }
  • Re:Reminds me of... (Score:3, Informative)

    by Dachannien ( 617929 ) on Friday May 27, 2005 @01:53AM (#12652266)
    All this really means is that eventually phishers and scammers will get smarter and run TrustedBSD, OpenBSD, SELinux, or some other hardened variant using mainly static pages and highly developed systems. It's really a never ending battle.

    According to a recent article [slashdot.org], many phishing websites are run on already insecure systems that are hacked by the phishers. This is a "good" idea from their perspective, as it makes them harder to trace. However, in such cases, the only element of choice given to the phisher is whether or not to use that particular system. The only thing they can really do to counteract vigilantism is to patch the systems they hack into while leaving their own backdoors in place.

    You're definitely right, though, that if this vigilante trend picks up, the phishers will change methods in order to rip people off.

  • Re:Retribution (Score:5, Informative)

    by serutan ( 259622 ) <snoopdoug@geekaz ... minus physicist> on Friday May 27, 2005 @02:02AM (#12652311) Homepage
    I have a little PHP script that I use whenever I get a phishing email...

    Post it on Planet Source Code [planet-source-code.com] -- thousands of people could be using it tomorrow.
  • Re:justice (Score:2, Informative)

    by bkissi01 ( 699085 ) on Friday May 27, 2005 @02:10AM (#12652336)
    There are web pages that send a "flash mob" [aa419.org] to their sites. You disable your browser's cache and then open the web page [aa419.org] and it repeatedly loads images from the 419 sites. If a lot of people have the page open it will consume all of the bandwidth of the 419 sites. Kind of like the Make Love Not Spam [makelovenotspam.com] screensaver that Lycos made. Essentially by a bunch of people constantly downloading the images from the sites it creates a DDoS attack on the site. I'm not too sure about the legality of an "attack" like this, but it is a cool idea.
  • by videha ( 774526 ) * on Friday May 27, 2005 @03:25AM (#12652584)
    I think the term vigilante is not correct in this instance. From Encarta dictionary;

    law-enforcing citizen: somebody who punishes lawbreakers personally and illegally rather than relying on the legal authorities
    Microsoft® Encarta® Reference Library 2005. © 1993-2004 Microsoft Corporation. All rights reserved.

    This seems more like crime prevention. One would hope that the prevention of a crime, especially without causing harm, would be considered a duty.

    I would like to say "good work" to the whitehats.
  • by Xoder ( 664531 ) <slashdotNO@SPAMxoder.fastmail.fm> on Friday May 27, 2005 @03:45AM (#12652707) Homepage
    The grandparent is referring to the US (and possibly elsewhere) rarely-used practice of Jury Nullification. The jury essentially says that, yes, the accused is guilty of the crime stated, but the activity should not be a crime, and so we will not convict. Judges and prosecutors hate that, and will often refuse a juror if he mentions knowledge of the statute.
  • by Anonymous Coward on Friday May 27, 2005 @04:27AM (#12652897)
    http://www.aa419.org/vampire/ladvampire.html [aa419.org]

    I'm hijacking this spot to repeat an important post made further down the page.

    EVERYBODY, open that URL in a new window/tab and let it run. You can have it in the background or minimise it. Bookmark it. In fact, make it your start page if you don't already have any useful start page.
    "The Lad Vampire" automatically reloads images from fake bank websites used by scammers, exhausting their bandwidth quota.

    Let's use the Slashdot effect for something good - overloading Nigerian scammers' fake websites.
  • by sammy baby ( 14909 ) on Friday May 27, 2005 @06:21AM (#12653292) Journal
    Actually, there was a case not too long ago where a kid who was a photography buff was arrested for possession of... film canisters. Apparently, someone found them in his locker or on his person and assumed that he was using them to transport drugs. He was arrested, and eventually tried, for possession of drug paraphernalia.

    The punchline? Possession of paraphernalia isn't a crime where he lives. (Of course, he wasn't convicted, either.)

    Full story here [proliberty.com].
  • Re:Old west? (Score:1, Informative)

    by Lillesvin ( 797939 ) on Friday May 27, 2005 @09:30AM (#12654205) Homepage

    Hmm, actually, when I wrote it I wasn't entirely sure of it myself, but after looking it up in my good old Oxford Advanced Learner's Dictionary I'm a bit more sure (not entirely sure still).

    It says: vigi-lance n watchfulness; keeping watch; exercise ~. ~ committee (chiefly US) self-appointed group of persons who maintain order in a community where organization is imperfect or has broken down.

    So perhaps: s/kind of vigilance/way of exercising vigilance/g

    Btw, I'm not a native speaker - as you might have guessed. Though, I still think most people understood what I tried to say. Hopefully... :)
